feat: merge the verifier types (#336)

BREAKING CHANGE: - The various verifier types are merged into a oidc.Verifir. - oidc.Verfier became a struct with exported fields * use type aliases for oidc.Verifier this binds the correct contstructor to each verifier usecase. * fix: handle the zero cases for oidc.Time * add unit tests to oidc verifier * fix: correct returned field for JWTTokenRequest JWTTokenRequest.GetIssuedAt() was returning the ExpiresAt field. This change corrects that by returning IssuedAt instead.
2023-03-22 19:18:41 +02:00 · 2023-03-22 19:18:41 +02:00 · 33c716ddcf
commit 33c716ddcf
parent c8cf15e266
29 changed files with 948 additions and 351 deletions
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@ -192,7 +192,7 @@ func (j *JWTTokenRequest) GetExpiration() time.Time {

 // GetIssuedAt implements the Claims interface
 func (j *JWTTokenRequest) GetIssuedAt() time.Time {
-	return j.ExpiresAt.AsTime()
+	return j.IssuedAt.AsTime()
 }

 // GetNonce implements the Claims interface
--- a/pkg/oidc/types.go
+++ b/pkg/oidc/types.go
@ -173,10 +173,16 @@ func NewEncoder() *schema.Encoder {
 type Time int64

 func (ts Time) AsTime() time.Time {
+	if ts == 0 {
+		return time.Time{}
+	}
 	return time.Unix(int64(ts), 0)
 }

 func FromTime(tt time.Time) Time {
+	if tt.IsZero() {
+		return 0
+	}
 	return Time(tt.Unix())
 }

--- a/pkg/oidc/types_test.go
+++ b/pkg/oidc/types_test.go
@ -7,6 +7,7 @@ import (
 	"strconv"
 	"strings"
 	"testing"
+	"time"

 	"github.com/gorilla/schema"
 	"github.com/stretchr/testify/assert"
@ -467,6 +468,56 @@ func TestNewEncoder(t *testing.T) {
 	assert.Equal(t, a, b)
 }

+func TestTime_AsTime(t *testing.T) {
+	tests := []struct {
+		name string
+		ts   Time
+		want time.Time
+	}{
+		{
+			name: "unset",
+			ts:   0,
+			want: time.Time{},
+		},
+		{
+			name: "set",
+			ts:   1,
+			want: time.Unix(1, 0),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.ts.AsTime()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestTime_FromTime(t *testing.T) {
+	tests := []struct {
+		name string
+		tt   time.Time
+		want Time
+	}{
+		{
+			name: "zero",
+			tt:   time.Time{},
+			want: 0,
+		},
+		{
+			name: "set",
+			tt:   time.Unix(1, 0),
+			want: 1,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := FromTime(tt.tt)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
 func TestTime_UnmarshalJSON(t *testing.T) {
 	type dst struct {
 		UpdatedAt Time `json:"updated_at"`
--- a/pkg/oidc/verifier.go
+++ b/pkg/oidc/verifier.go
@ -61,10 +61,19 @@ var (
 	ErrAtHash                  = errors.New("at_hash does not correspond to access token")
 )

-type Verifier interface {
-	Issuer() string
-	MaxAgeIAT() time.Duration
-	Offset() time.Duration
+// Verifier caries configuration for the various token verification
+// functions. Use package specific constructor functions to know
+// which values need to be set.
+type Verifier struct {
+	Issuer            string
+	MaxAgeIAT         time.Duration
+	Offset            time.Duration
+	ClientID          string
+	SupportedSignAlgs []string
+	MaxAge            time.Duration
+	ACR               ACRVerifier
+	KeySet            KeySet
+	Nonce             func(ctx context.Context) string
 }

 // ACRVerifier specifies the function to be used by the `DefaultVerifier` for validating the acr claim
@ -121,6 +130,11 @@ func CheckAudience(claims Claims, clientID string) error {
 	return nil
 }

+// CheckAuthorizedParty checks azp (authorized party) claim requirements.
+//
+// If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
+// If an azp Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
+// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
 func CheckAuthorizedParty(claims Claims, clientID string) error {
 	if len(claims.GetAudience()) > 1 {
 		if claims.GetAuthorizedParty() == "" {
@ -167,26 +181,26 @@ func CheckSignature(ctx context.Context, token string, payload []byte, claims Cl
 }

 func CheckExpiration(claims Claims, offset time.Duration) error {
-	expiration := claims.GetExpiration().Round(time.Second)
-	if !time.Now().UTC().Add(offset).Before(expiration) {
+	expiration := claims.GetExpiration()
+	if !time.Now().Add(offset).Before(expiration) {
 		return ErrExpired
 	}
 	return nil
 }

 func CheckIssuedAt(claims Claims, maxAgeIAT, offset time.Duration) error {
-	issuedAt := claims.GetIssuedAt().Round(time.Second)
+	issuedAt := claims.GetIssuedAt()
 	if issuedAt.IsZero() {
 		return ErrIatMissing
 	}
-	nowWithOffset := time.Now().UTC().Add(offset).Round(time.Second)
+	nowWithOffset := time.Now().Add(offset).Round(time.Second)
 	if issuedAt.After(nowWithOffset) {
 		return fmt.Errorf("%w: (iat: %v, now with offset: %v)", ErrIatInFuture, issuedAt, nowWithOffset)
 	}
 	if maxAgeIAT == 0 {
 		return nil
 	}
-	maxAge := time.Now().UTC().Add(-maxAgeIAT).Round(time.Second)
+	maxAge := time.Now().Add(-maxAgeIAT).Round(time.Second)
 	if issuedAt.Before(maxAge) {
 		return fmt.Errorf("%w: must not be older than %v, but was %v (%v to old)", ErrIatToOld, maxAge, issuedAt, maxAge.Sub(issuedAt))
 	}
@ -216,8 +230,8 @@ func CheckAuthTime(claims Claims, maxAge time.Duration) error {
 	if claims.GetAuthTime().IsZero() {
 		return ErrAuthTimeNotPresent
 	}
-	authTime := claims.GetAuthTime().Round(time.Second)
-	maxAuthTime := time.Now().UTC().Add(-maxAge).Round(time.Second)
+	authTime := claims.GetAuthTime()
+	maxAuthTime := time.Now().Add(-maxAge).Round(time.Second)
 	if authTime.Before(maxAuthTime) {
 		return fmt.Errorf("%w: must not be older than %v, but was %v (%v to old)", ErrAuthTimeToOld, maxAge, authTime, maxAuthTime.Sub(authTime))
 	}
--- a/pkg/oidc/verifier_parse_test.go
+++ b/pkg/oidc/verifier_parse_test.go
@ -0,0 +1,128 @@
+package oidc_test
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	tu "github.com/zitadel/oidc/v3/internal/testutil"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+)
+
+func TestParseToken(t *testing.T) {
+	token, wantClaims := tu.ValidIDToken()
+	wantClaims.SignatureAlg = "" // unset, because is not part of the JSON payload
+
+	wantPayload, err := json.Marshal(wantClaims)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name        string
+		tokenString string
+		wantErr     bool
+	}{
+		{
+			name:        "split error",
+			tokenString: "nope",
+			wantErr:     true,
+		},
+		{
+			name:        "base64 error",
+			tokenString: "foo.~.bar",
+			wantErr:     true,
+		},
+		{
+			name:        "success",
+			tokenString: token,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotClaims := new(oidc.IDTokenClaims)
+			gotPayload, err := oidc.ParseToken(tt.tokenString, gotClaims)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, wantClaims, gotClaims)
+			assert.JSONEq(t, string(wantPayload), string(gotPayload))
+		})
+	}
+}
+
+func TestCheckSignature(t *testing.T) {
+	errCtx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	token, _ := tu.ValidIDToken()
+	payload, err := oidc.ParseToken(token, &oidc.IDTokenClaims{})
+	require.NoError(t, err)
+
+	type args struct {
+		ctx              context.Context
+		token            string
+		payload          []byte
+		supportedSigAlgs []string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr error
+	}{
+		{
+			name: "parse error",
+			args: args{
+				ctx:     context.Background(),
+				token:   "~",
+				payload: payload,
+			},
+			wantErr: oidc.ErrParse,
+		},
+		{
+			name: "default sigAlg",
+			args: args{
+				ctx:     context.Background(),
+				token:   token,
+				payload: payload,
+			},
+		},
+		{
+			name: "unsupported sigAlg",
+			args: args{
+				ctx:              context.Background(),
+				token:            token,
+				payload:          payload,
+				supportedSigAlgs: []string{"foo", "bar"},
+			},
+			wantErr: oidc.ErrSignatureUnsupportedAlg,
+		},
+		{
+			name: "verify error",
+			args: args{
+				ctx:     errCtx,
+				token:   token,
+				payload: payload,
+			},
+			wantErr: oidc.ErrSignatureInvalid,
+		},
+		{
+			name: "inequal payloads",
+			args: args{
+				ctx:     context.Background(),
+				token:   token,
+				payload: []byte{0, 1, 2},
+			},
+			wantErr: oidc.ErrSignatureInvalidPayload,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			claims := new(oidc.TokenClaims)
+			err := oidc.CheckSignature(tt.args.ctx, tt.args.token, tt.args.payload, claims, tt.args.supportedSigAlgs, tu.KeySet{})
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
--- a/pkg/oidc/verifier_test.go
+++ b/pkg/oidc/verifier_test.go
@ -0,0 +1,374 @@
+package oidc
+
+import (
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDecryptToken(t *testing.T) {
+	const tokenString = "ABC"
+	got, err := DecryptToken(tokenString)
+	require.NoError(t, err)
+	assert.Equal(t, tokenString, got)
+}
+
+func TestDefaultACRVerifier(t *testing.T) {
+	acrVerfier := DefaultACRVerifier([]string{"foo", "bar"})
+
+	tests := []struct {
+		name    string
+		acr     string
+		wantErr string
+	}{
+		{
+			name: "ok",
+			acr:  "bar",
+		},
+		{
+			name:    "error",
+			acr:     "hello",
+			wantErr: "expected one of: [foo bar], got: \"hello\"",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := acrVerfier(tt.acr)
+			if tt.wantErr != "" {
+				assert.EqualError(t, err, tt.wantErr)
+				return
+			}
+			require.NoError(t, err)
+		})
+	}
+}
+
+func TestCheckSubject(t *testing.T) {
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrSubjectMissing,
+		},
+		{
+			name: "ok",
+			claims: &TokenClaims{
+				Subject: "foo",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckSubject(tt.claims)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckIssuer(t *testing.T) {
+	const issuer = "foo.bar"
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrIssuerInvalid,
+		},
+		{
+			name: "wrong",
+			claims: &TokenClaims{
+				Issuer: "wrong",
+			},
+			wantErr: ErrIssuerInvalid,
+		},
+		{
+			name: "ok",
+			claims: &TokenClaims{
+				Issuer: issuer,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckIssuer(tt.claims, issuer)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckAudience(t *testing.T) {
+	const clientID = "foo.bar"
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrAudience,
+		},
+		{
+			name: "wrong",
+			claims: &TokenClaims{
+				Audience: []string{"wrong"},
+			},
+			wantErr: ErrAudience,
+		},
+		{
+			name: "ok",
+			claims: &TokenClaims{
+				Audience: []string{clientID},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckAudience(tt.claims, clientID)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckAuthorizedParty(t *testing.T) {
+	const clientID = "foo.bar"
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name: "single audience, no azp",
+			claims: &TokenClaims{
+				Audience: []string{clientID},
+			},
+		},
+		{
+			name: "multiple audience, no azp",
+			claims: &TokenClaims{
+				Audience: []string{clientID, "other"},
+			},
+			wantErr: ErrAzpMissing,
+		},
+		{
+			name: "single audience, with azp",
+			claims: &TokenClaims{
+				Audience:        []string{clientID},
+				AuthorizedParty: clientID,
+			},
+		},
+		{
+			name: "multiple audience, with azp",
+			claims: &TokenClaims{
+				Audience:        []string{clientID, "other"},
+				AuthorizedParty: clientID,
+			},
+		},
+		{
+			name: "wrong azp",
+			claims: &TokenClaims{
+				AuthorizedParty: "wrong",
+			},
+			wantErr: ErrAzpInvalid,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckAuthorizedParty(tt.claims, clientID)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckExpiration(t *testing.T) {
+	const offset = time.Minute
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrExpired,
+		},
+		{
+			name: "expired",
+			claims: &TokenClaims{
+				Expiration: FromTime(time.Now().Add(-2 * offset)),
+			},
+			wantErr: ErrExpired,
+		},
+		{
+			name: "valid",
+			claims: &TokenClaims{
+				Expiration: FromTime(time.Now().Add(2 * offset)),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckExpiration(tt.claims, offset)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckIssuedAt(t *testing.T) {
+	const offset = time.Minute
+	tests := []struct {
+		name      string
+		maxAgeIAT time.Duration
+		claims    Claims
+		wantErr   error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrIatMissing,
+		},
+		{
+			name: "future",
+			claims: &TokenClaims{
+				IssuedAt: FromTime(time.Now().Add(time.Hour)),
+			},
+			wantErr: ErrIatInFuture,
+		},
+		{
+			name: "no max",
+			claims: &TokenClaims{
+				IssuedAt: FromTime(time.Now()),
+			},
+		},
+		{
+			name:      "past max",
+			maxAgeIAT: time.Minute,
+			claims: &TokenClaims{
+				IssuedAt: FromTime(time.Now().Add(-time.Hour)),
+			},
+			wantErr: ErrIatToOld,
+		},
+		{
+			name:      "within max",
+			maxAgeIAT: time.Hour,
+			claims: &TokenClaims{
+				IssuedAt: FromTime(time.Now()),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckIssuedAt(tt.claims, tt.maxAgeIAT, offset)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckNonce(t *testing.T) {
+	const nonce = "123"
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrNonceInvalid,
+		},
+		{
+			name: "wrong",
+			claims: &TokenClaims{
+				Nonce: "wrong",
+			},
+			wantErr: ErrNonceInvalid,
+		},
+		{
+			name: "ok",
+			claims: &TokenClaims{
+				Nonce: nonce,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckNonce(tt.claims, nonce)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckAuthorizationContextClassReference(t *testing.T) {
+	tests := []struct {
+		name    string
+		acr     ACRVerifier
+		wantErr error
+	}{
+		{
+			name:    "error",
+			acr:     func(s string) error { return errors.New("oops") },
+			wantErr: ErrAcrInvalid,
+		},
+		{
+			name: "ok",
+			acr:  func(s string) error { return nil },
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckAuthorizationContextClassReference(&IDTokenClaims{}, tt.acr)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckAuthTime(t *testing.T) {
+	tests := []struct {
+		name    string
+		claims  Claims
+		maxAge  time.Duration
+		wantErr error
+	}{
+		{
+			name:   "no max age",
+			claims: &TokenClaims{},
+		},
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			maxAge:  time.Minute,
+			wantErr: ErrAuthTimeNotPresent,
+		},
+		{
+			name:   "expired",
+			maxAge: time.Minute,
+			claims: &TokenClaims{
+				AuthTime: FromTime(time.Now().Add(-time.Hour)),
+			},
+			wantErr: ErrAuthTimeToOld,
+		},
+		{
+			name:   "ok",
+			maxAge: time.Minute,
+			claims: &TokenClaims{
+				AuthTime: NowTime(),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckAuthTime(tt.claims, tt.maxAge)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}